In [29]:
import pandas as pd

# Read data from file csv

In [30]:
df = pd.read_csv('data/cybersecurity_attacks.csv')
df.head().T

Unnamed: 0,0,1,2,3,4
Timestamp,2023-05-30 06:33:58,2020-08-26 07:08:30,2022-11-13 08:23:25,2023-07-02 10:38:46,2023-07-16 13:11:07
Source IP Address,103.216.15.12,78.199.217.198,63.79.210.48,163.42.196.10,71.166.185.76
Destination IP Address,84.9.164.252,66.191.137.154,198.219.82.17,101.228.192.255,189.243.174.238
Source Port,31225,17245,16811,20018,6131
Destination Port,17616,48166,53600,32534,26646
Protocol,ICMP,ICMP,UDP,UDP,TCP
Packet Length,503,1174,306,385,1462
Packet Type,Data,Data,Control,Data,Data
Traffic Type,HTTP,HTTP,HTTP,HTTP,DNS
Payload Data,Qui natus odio asperiores nam. Optio nobis ius...,Aperiam quos modi officiis veritatis rem. Omni...,Perferendis sapiente vitae soluta. Hic delectu...,Totam maxime beatae expedita explicabo porro l...,Odit nesciunt dolorem nisi iste iusto. Animi v...


# List columns

In [31]:
df.columns

Index(['Timestamp', 'Source IP Address', 'Destination IP Address',
       'Source Port', 'Destination Port', 'Protocol', 'Packet Length',
       'Packet Type', 'Traffic Type', 'Payload Data', 'Malware Indicators',
       'Action Taken', 'Severity Level', 'User Information',
       'Device Information', 'Network Segment', 'Geo-location Data',
       'Proxy Information', 'Firewall Logs', 'IDS/IPS Alerts', 'Log Source'],
      dtype='object')

# Number of rows and columns

In [32]:
num_rows, num_cols = df.shape
print(f'Number of rows: {num_rows}')
print(f'Number of columns: {num_cols}')

Number of rows: 40000
Number of columns: 25


# Meaning of each column
**1. Time stamp**: The time at which the network activity occurred. <br>
**2. Source IP Address**: The IP address of the device that initiated the network activity.<br>
**3. Destination IP Address**: The IP address of the device that received the network activity.<br>
**4. Source Port**: The port number used by the source IP address.<br>
**5. Destination Port**: The port number used by the destination IP address.<br>
**6. Protocol**: The communication protocol used for the network activity. (TCP, UDP, etc.)<br>
**7. Packet Length**: The size of the packet in bytes.<br>
**8. Packet Type**: Type of packet (data packet, control packet, etc.)<br>
**9. Traffic Type**: The type of traffic (web traffic, email traffic, etc.)<br>
**10. Payload Data**: The data contained in the packet.<br>
**11. Malware Indicators**: Indicators of potentially malicious activity or presence of malware.<br>
**12. Anomaly Scores**: Scores indicating deviations from expected behavior, used for anomaly detection.<br>
**13. Alerts/Warning**: Notifications or warnings generated by security systems or monitoring tools.<br>
**14. Attack Type**: Type of attack detected or suspected. (DDoS, SQL injection, etc.)<br>
**15. Attack Signature**: Specific patterns or signatures associated with known attacks.<br>
**16. Action Taken**: The response or action taken in response to the network activity.<br>
**17. Severity Level**: The level of severity associated with an alert or event. (Low, Medium, High, etc.)<br>
**18. User Information**: Information about the user involved in the network activity.<br>
**19. Device Information**: Information about the device involved in the network activity. (device type, operating system, etc.)<br>
**20. Network Segment**: The segment or subnet of the network where the activity occurred.<br>
**21. Geo-location Data**: Geographic location data associated with the IP addresses.<br>
**22. Proxy Information**: Information about proxy servers or intermediaries involved in the network activity.<br>
**23. Firewall Logs**: Logs generated by firewall devices indicating allowed or blocked traffic.<br>
**24. IDS/IPS Alerts**: Alerts generated by intrusion detection or prevention systems.<br>
**25. Log Source**: The source or origin of the log entry.(name of the logging device or system).<br>

# Check duplicated rows

In [33]:
duplicate_rows = df.duplicated().sum()
duplicate_rows

0

# Check missing/null values

In [34]:
df.isnull().sum().sort_values(ascending=False)

IDS/IPS Alerts            20050
Malware Indicators        20000
Firewall Logs             19961
Proxy Information         19851
Attack Type                   0
Geo-location Data             0
Network Segment               0
Device Information            0
User Information              0
Severity Level                0
Action Taken                  0
Attack Signature              0
Timestamp                     0
Source IP Address             0
Anomaly Scores                0
Payload Data                  0
Traffic Type                  0
Packet Type                   0
Packet Length                 0
Protocol                      0
Destination Port              0
Source Port                   0
Destination IP Address        0
Log Source                    0
dtype: int64

#### Missing values in each column
- Alert/Warning: 20067
- IDS/IPS Alerts: 20050
- Malware Indicators: 20000
- Firewall Logs: 19961
- Proxy Information: 19961

In [35]:
df.isnull().sum() / len(df) * 100

Timestamp                  0.0000
Source IP Address          0.0000
Destination IP Address     0.0000
Source Port                0.0000
Destination Port           0.0000
Protocol                   0.0000
Packet Length              0.0000
Packet Type                0.0000
Traffic Type               0.0000
Payload Data               0.0000
Malware Indicators        50.0000
Anomaly Scores             0.0000
Attack Type                0.0000
Attack Signature           0.0000
Action Taken               0.0000
Severity Level             0.0000
User Information           0.0000
Device Information         0.0000
Network Segment            0.0000
Geo-location Data          0.0000
Proxy Information         49.6275
Firewall Logs             49.9025
IDS/IPS Alerts            50.1250
Log Source                 0.0000
dtype: float64

# Check data types

In [36]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 40000 entries, 0 to 39999
Data columns (total 25 columns):
 #   Column                  Non-Null Count  Dtype  
---  ------                  --------------  -----  
 0   Timestamp               40000 non-null  object 
 1   Source IP Address       40000 non-null  object 
 2   Destination IP Address  40000 non-null  object 
 3   Source Port             40000 non-null  int64  
 4   Destination Port        40000 non-null  int64  
 5   Protocol                40000 non-null  object 
 6   Packet Length           40000 non-null  int64  
 7   Packet Type             40000 non-null  object 
 8   Traffic Type            40000 non-null  object 
 9   Payload Data            40000 non-null  object 
 10  Malware Indicators      20000 non-null  object 
 11  Anomaly Scores          40000 non-null  float64
 13  Attack Type             40000 non-null  object 
 14  Attack Signature        40000 non-null  object 
 15  Action Taken            40000 non-null

# Handle missing values


**Alerts/Warnings**: If the column has value 'Alert Triggered', then the value of 'Alerts/Warnings' is 'yes'. Otherwise, the value is 'no'.<br>

In [37]:
# Check for unique values in the 'Alerts/Warnings' column
df['Alerts/Warnings'].unique()

array([nan, 'Alert Triggered'], dtype=object)

In [38]:
# Replace 'Alert Triggered' with 'yes' and 'No Alert' with 'no'
df['Alerts/Warnings'] = df['Alerts/Warnings'].apply(lambda x:'yes' if x == 'Alert Triggered' else 'no')

**Malware Indicators**: if the column has missing value, it will be filled with 'No Dectection'

In [39]:
# Check for unique values in the 'Alerts/Warnings' column
df['Malware Indicators'].unique()

array(['IoC Detected', nan], dtype=object)

In [40]:
# Replace NaN values with 'No Detection'
df['Malware Indicators'] = df['Malware Indicators'].apply(lambda x: 'No Dectection' if pd.isna(x) else x)

**Proxy Information**: if the column has missing value, it will be filled with 'No Proxy'

In [41]:
# Check for unique values in the 'Malware Indicators' column
df['Proxy Information'].unique()

array(['150.9.97.135', nan, '114.133.48.179', ..., '60.51.30.46',
       '137.76.130.8', '112.169.115.139'], dtype=object)

In [42]:
# Replace NaN values with 'No Proxy'
df['Proxy Information'] = df['Proxy Information'].apply(lambda x: 'No Proxy' if pd.isna(x) else x)

**Firewall Logs**: if the column has missing value, it will be filled with 'No Firewall'

In [43]:
# Check for unique values in the 'Proxy Information' column
df['Firewall Logs'].unique()

array(['Log Data', nan], dtype=object)

In [44]:
# Replace NaN values with 'No Data'
df['Firewall Logs'] = df['Firewall Logs'].apply(lambda x: 'No Data' if pd.isna(x) else x)

**IDS/IPS Alerts**: if the column has missing value, it will be filled with 'No IDS/IPS'

In [45]:
# Check for unique values in the 'Firewall Logs' column
df['IDS/IPS Alerts'].unique()

array([nan, 'Alert Data'], dtype=object)

In [46]:
# Replace NaN values with 'No Data' 
df['IDS/IPS Alerts'] = df['IDS/IPS Alerts'].apply(lambda x: 'No Data' if pd.isna(x) else x)

In [47]:
df.isnull().sum().sort_values(ascending=False)

Timestamp                 0
Attack Type               0
IDS/IPS Alerts            0
Firewall Logs             0
Proxy Information         0
Geo-location Data         0
Network Segment           0
Device Information        0
User Information          0
Severity Level            0
Action Taken              0
Attack Signature          0
Source IP Address         0
Anomaly Scores            0
Malware Indicators        0
Payload Data              0
Traffic Type              0
Packet Type               0
Packet Length             0
Protocol                  0
Destination Port          0
Source Port               0
Destination IP Address    0
Log Source                0
dtype: int64

# Handle attribute 'Device Information'

In [48]:
df['Device Information']

0        Mozilla/5.0 (compatible; MSIE 8.0; Windows NT ...
1        Mozilla/5.0 (compatible; MSIE 8.0; Windows NT ...
2        Mozilla/5.0 (compatible; MSIE 9.0; Windows NT ...
3        Mozilla/5.0 (Macintosh; PPC Mac OS X 10_11_5; ...
4        Mozilla/5.0 (compatible; MSIE 5.0; Windows NT ...
                               ...                        
39995    Mozilla/5.0 (iPad; CPU iPad OS 14_2_1 like Mac...
39996    Mozilla/5.0 (Windows; U; Windows 98; Win 9x 4....
39997    Mozilla/5.0 (Windows; U; Windows NT 4.0) Apple...
39998    Mozilla/5.0 (X11; Linux i686) AppleWebKit/536....
39999    Mozilla/5.0 (iPod; U; CPU iPhone OS 3_0 like M...
Name: Device Information, Length: 40000, dtype: object

## Create a 'Device/OS' column

In [49]:
import re

devices = [
    r'Windows',
    r'Linux',
    r'Android',
    r'iPad',
    r'iPod',
    r'iPhone',
    r'Macintosh']


def device_os_finder(user_agent):
    for device in devices:
        match_device = re.search(device, user_agent, re.I)  # re.I makes the search case-insensitive
        if match_device:
            return match_device.group()
    return 'Unknown'

# Extract device or OS
df['Device/OS'] = df['Device Information'].apply(device_os_finder)
df['Device/OS'].head(10)

0      Windows
1      Windows
2      Windows
3    Macintosh
4      Windows
5        Linux
6        Linux
7    Macintosh
8    Macintosh
9      Windows
Name: Device/OS, dtype: object

In [50]:
df['Device/OS'].value_counts()

Device/OS
Windows      17953
Linux         8840
Macintosh     5813
iPod          2656
Android       1620
iPhone        1567
iPad          1551
Name: count, dtype: int64

## Create a 'Browser' column

In [51]:
df['Browser'] = df['Device Information'].str.split('/').str[0]
df['Browser']

0        Mozilla
1        Mozilla
2        Mozilla
3        Mozilla
4        Mozilla
          ...   
39995    Mozilla
39996    Mozilla
39997    Mozilla
39998    Mozilla
39999    Mozilla
Name: Browser, Length: 40000, dtype: object

In [52]:
df['Browser'].value_counts()

Browser
Mozilla    31951
Opera       8049
Name: count, dtype: int64

# Handle 'Timestamp' attribute

In [53]:
df['Timestamp'] = pd.to_datetime(df['Timestamp'])
df['Timestamp'].info()

<class 'pandas.core.series.Series'>
RangeIndex: 40000 entries, 0 to 39999
Series name: Timestamp
Non-Null Count  Dtype         
--------------  -----         
40000 non-null  datetime64[ns]
dtypes: datetime64[ns](1)
memory usage: 312.6 KB


In [54]:
df['Year'] = df['Timestamp'].dt.year
df['Month'] = df['Timestamp'].dt.month
df['DayofWeek'] = df['Timestamp'].dt.dayofweek
df['Day'] = df['Timestamp'].dt.day
df['Hour'] = df['Timestamp'].dt.hour
df['Minute'] = df['Timestamp'].dt.minute
df['Second'] = df['Timestamp'].dt.second

df

Unnamed: 0,Timestamp,Source IP Address,Destination IP Address,Source Port,Destination Port,Protocol,Packet Length,Packet Type,Traffic Type,Payload Data,...,Log Source,Device/OS,Browser,Year,Month,DayofWeek,Day,Hour,Minute,Second
0,2023-05-30 06:33:58,103.216.15.12,84.9.164.252,31225,17616,ICMP,503,Data,HTTP,Qui natus odio asperiores nam. Optio nobis ius...,...,Server,Windows,Mozilla,2023,5,1,30,6,33,58
1,2020-08-26 07:08:30,78.199.217.198,66.191.137.154,17245,48166,ICMP,1174,Data,HTTP,Aperiam quos modi officiis veritatis rem. Omni...,...,Firewall,Windows,Mozilla,2020,8,2,26,7,8,30
2,2022-11-13 08:23:25,63.79.210.48,198.219.82.17,16811,53600,UDP,306,Control,HTTP,Perferendis sapiente vitae soluta. Hic delectu...,...,Firewall,Windows,Mozilla,2022,11,6,13,8,23,25
3,2023-07-02 10:38:46,163.42.196.10,101.228.192.255,20018,32534,UDP,385,Data,HTTP,Totam maxime beatae expedita explicabo porro l...,...,Firewall,Macintosh,Mozilla,2023,7,6,2,10,38,46
4,2023-07-16 13:11:07,71.166.185.76,189.243.174.238,6131,26646,TCP,1462,Data,DNS,Odit nesciunt dolorem nisi iste iusto. Animi v...,...,Firewall,Windows,Mozilla,2023,7,6,16,13,11,7
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
39995,2023-05-26 14:08:42,26.36.109.26,121.100.75.240,31005,6764,UDP,1428,Control,HTTP,Quibusdam ullam consequatur consequuntur accus...,...,Firewall,iPad,Mozilla,2023,5,4,26,14,8,42
39996,2023-03-27 00:38:27,17.21.163.81,196.108.134.78,2553,28091,UDP,1184,Control,HTTP,Quaerat neque esse. Animi expedita natus commo...,...,Firewall,Windows,Mozilla,2023,3,0,27,0,38,27
39997,2022-03-31 01:45:49,162.35.217.57,98.107.0.15,22505,25152,UDP,1043,Data,DNS,Enim at aspernatur illum. Saepe numquam eligen...,...,Server,Windows,Mozilla,2022,3,3,31,1,45,49
39998,2023-09-22 18:32:38,208.72.233.205,173.79.112.252,20013,2703,UDP,483,Data,FTP,Officiis dolorem sed harum provident earum dis...,...,Server,Linux,Mozilla,2023,9,4,22,18,32,38
